Friday, October 21, 2011

Did you know you can now use two-factor authentication with your Google account? Think about it: most people use a single username/password combination to gain access to a system-wide array of services in the Google universe. Gmail, AdSense, Blogger, Analytics, Docs, etc. is a whole lot to leave vulnerable to the single username and password approach. And it’s easier than you think for a hacker to acquire your password without your knowledge.

Recently, Google has made two-factor authentication available as a login option worldwide. Two-factor authentication in its most basic definition is this: A) something you know (your trusty old Google username/password); and B) something you have (a key or one-time passcode that regenerates every 60 seconds). In short, A + B = access to your account. You need both. So even if your password got sniffed, or you left it in your stolen wallet somewhere, the hacker would still need a unique code to complete the login process.

Google makes it easy, too. The idea is that after you log in using your normal username/password (A... something you know), you will be asked for a unique piece of information, a code, to complete authentication (B... something you have) and verify your identity. The code is something your smart phone can provide for you. Simply download an app (iPhone, Android, and Blackberry are supported). The app generates a code based on an algorithm that Google and your smart phone app have in common. Or if you prefer, a regular cell phone can be used (a text message will arrive with the code embedded). The code is only good for 60 seconds, and then it expires and another code is generated.

So why bother? Your account will be a lot safer if you enable two-factor authentication, especially if you're a regular user of multiple Google products. Heck, it even makes sense even if you just have Gmail. Lock it down, people!
Google has prepared a great set of instructions to help you get started. Go to www.google.com/account to find out more.

Wednesday, October 12, 2011

“What nobody tells people who are beginners — and I really wish someone had told this to me . . . is that all of us who do creative work, we get into it because we have good taste. But there is this gap. For the first couple years you make stuff, and it’s just not that good. It’s trying to be good, it has potential, but it’s not. But your taste, the thing that got you into the game, is still killer. And your taste is why your work disappoints you. A lot of people never get past this phase. They quit. Most people I know who do interesting, creative work went through years of this. We know our work doesn’t have this special thing that we want it to have. We all go through this. And if you are just starting out or you are still in this phase, you gotta know it’s normal and the most important thing you can do is do a lot of work. Put yourself on a deadline so that every week you will finish one story. It is only by going through a volume of work that you will close that gap, and your work will be as good as your ambitions. And I took longer to figure out how to do this than anyone I’ve ever met. It’s gonna take awhile. It’s normal to take awhile. You’ve just gotta fight your way through.”

I mentioned technologies such as Lastpass, 1Password and Passpack that help manage your online security and provide some serious convenience in the process. However, other than mentioning the technologies I liked, I did not really prescribe a specific path to help protect your identity and your accounts.

Of course, the easiest thing to do is do nothing. I am going to make some recommendations, from the easiest to options that take a little more effort. Obviously, the path of least resistance is also the most vulnerable in terms of online security.

Option 1 - Easy

If you are the kind of person who uses a single password for everything that requires you to sign up, you should really rethink that strategy. At the very least, use a different password for those accounts that are tied to online banking and anything related to your personal finances (e.g. a PayPal account, money management, and commerce sites like Amazon.com). This password should be at least eight characters long and contain some combination of upper and lower case letters, numbers and special characters like punctuation. Also, if you have not changed the passwords to these accounts in more than a couple of years, you should set a reminder to change your passwords at least every couple of years, if not more frequently.

Option 2 - Moderate

Using a technology like Lastpass not only helps make your online activity more secure, it also provides some added convenience, such as automatically logging you into frequently used sites after you put in your master password when you start your computing session. In some ways, this option might seem less secure than putting in your password manually each and every time, but one way that potential threats make you vulnerable is through key-logging software that records your keystrokes and is an effective method of extracting passwords. If Lastpass is automating the login, then you are not using the keyboard to type your password. Lastpass also gives you the option to log in to the service using an on-screen keyboard, which would also prevent key-logging. Lastpass and other similar services also allow you to generate a unique, random password for each site, which is a great way to keep you secure. Since you do not have to remember the generated passwords, you can use a stronger password combination and length than you would typically try to remember.

Option 3 - More Involved

As you might guess, this is the option I recommend and use myself. The most secure method of online password protection is called multi-factor authentication or two-factor authentication. This involves a two-step process to gain access to an account. Some companies like Google and PayPal offer two-factor authentication when logging into their systems. Lastpass also offers two-factor authentication when logging into its system. As Lastpass manages all of your online identities and stores this information in the cloud (encrypted, of course), I prefer using a more secure system for gaining access to all of my online passwords.

Enter the Yubikey by Yubico. This solution includes a USB key that must be plugged into the computer before you can gain access to your Lastpass account. It’s called two-factor authentication because both your master password and the Yubikey USB device are needed. Brilliant! So, even if someone has your master password, they can’t gain access to your password management system unless they also have the USB key. Conversely, just having the USB key does you no good, because you also need the master password. Also, the USB key is very nondescript. Most people will pass it off as a thumb drive rather than a security device. It can be placed on your keyring so that it’s always with you.

I’ve chosen to use a Yubikey together with Lastpass; however, I do not use Lastpass to gain access to my Gmail account, as I want a separate layer of protection for my email system. Gmail now offers its own two-factor authentication system. Rather than a USB key, I downloaded an app to my Android phone that generates a real-time secondary passcode to be entered after you use your normal password. Also, since PayPal is tied directly to my bank account, I use a separate hardware-based security key to gain access to my PayPal account. The combination of these systems provides multiple layers of security. For my banking information, I have configured Lastpass to prompt me for my master password (and Yubikey) before it will automatically log in to my account. You might see the precautions that I’ve taken as extreme, but my perspective is that it’s easier than ever for someone to hack their way into a whole treasure trove of personal information.

For great technology advice sent directly to your inbox a few times a month, sign up for my newsletter, called Citizen Savvy, here.